Weekly podcast: NHS Digital, Typeform and ICO registration fine

This week, we discuss the unauthorised sharing of 150,000 patients’ confidential health data, the first ripples from the Typeform data breach, and a £4,500 fine for a company that didn’t register with the ICO.

Hello and welcome to the IT Governance podcast for Friday, 6 July. Here are this week’s stories.

NHS Digital has blamed a third-party coding error for a data breach in which the confidential health information of 150,000 patients was shared against their will.

Patients who registered what were known as type 2 opt-outs at GP surgeries that used TPP’s SystmOne software after 31 March 2015 nevertheless had their confidential health information shared by NHS Digital for use in clinical research because their objections to its being used for anything other than their own care were not passed on.

“TPP has apologised unreservedly for its role in this matter and has committed to work with NHS Digital so that errors of this nature do not occur again. This will ensure that patients’ wishes on how their data is used are always respected and acted upon.

“NHS Digital will write to all TPP GP practices today to make sure that they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld.

“There is not, and has never been, any risk to patient care as a result of this error.”

The Information Commissioner’s Office and the National Data Guardian for Health and Care, Dame Fiona Caldicott, have been notified.

Typeform identified the breach on 27 June and remedied its apparent cause half an hour later.

Numerous organisations have been affected, including the Tasmanian Electoral Commission in Australia, which warned voters who applied for express votes at recent elections that their “name, address, email and date of birth information” had been compromised; the online bank Monzo, about 20,000 of whose customers’ personal data was “likely to have been included in the breach”; the Piccadilly grocer Fortnum & Mason, 23,000 of whose customers’ personal data was compromised; and the frankly rather splendidly named Shavington-cum-Gresty Parish Council, which saw the information of 304 people who filled in its surveys affected.

Typeform has about 30,000 clients, so there are likely to be many, many more breach notifications to come. The number of those clients’ customers – that is, the number of individuals likely to be affected by the incident – is impossible to quantify at this stage, but is likely to be considerable.

“If your organisation has been affected by the Typeform incident and you have enough information to establish that there may be a risk to your customers, you should report the breach to the ICO. If we need further information we will be in contact with you.

“You should consider how your customers may be affected by the breach. If you think there is a high risk to their rights and freedoms, you need to tell them about the breach without delay. You should tell them about any steps you are taking to mitigate the effects of the breach and provide them with advice on what to do to protect themselves.”

Under the new Data Protection (Charges and Information) Regulations 2018, which came into force on 25 May this year (the same day as the GDPR), data controllers must still register with the ICO and pay a data protection fee each year, but it’s no longer a criminal offence not to.

However, the ICO does have the power to enforce the new regulations and serve monetary penalties of up to £4,350 on those that don’t pay their fees.

These fees range from £40 for micro organisations to £2,900 for large organisations. A public consultation on exemptions from paying charges is currently underway.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.


About The Author

Punctilious about punctuation and scrupulous about syntax, Neil is nevertheless painfully aware of Muphry's Law. He has worked at IT Governance for over five years, writing about all IT governance subjects. He also presents the weekly podcast.

2 Comments

Chris Dockree, 9th July 2018

Can you please clarify the point regarding Data Protection Regulation 2018 and registering with ICO? What is the point if there is no penalty?

Neil Ford, 13th July 2018

Hi Chris,

Thanks for getting in touch.

Not notifying/registering under the Data Protection Act 1998 was a criminal offence.

Not registering under the Data Protection (Charges and Information) Regulations 2018 is a civil offence.

There’s still a penalty.

If you don’t register under the Data Protection (Charges and Information) Regulations 2018, you can be fined up to £4,350.

This document from the Information Commissioner’s Office explains about the fee in more detail: